Best practice for passing in credentials/secrets to docker container

Are there any best practices defined out there (and examples) of how one would pass in credentials/secrets (e.g. AWS access & secret keys, REST API keys) into a CWL workflow or step? Obviously I could specify them as input string parameters and pass them through but that’s probably not the most secure way to do it.

Cwltool and Arvados support a CWL extension that lets you indicate that certain input parameters are “Secret”. Those values then get special treatment, such as being hidden from logging. I don’t know if other CWL implementations offer similar functionality, although if there’s interest it would be a good feature to incorporate into future versions of the spec.
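An added illustration of the extension mentioned in the answer above (not part of the original thread, and not taken from the cwltool or Arvados documentation). The input name `api_key`, the file name `creds.conf`, and the container image are assumptions chosen for the example. The secret is written to a staged file rather than placed on the command line, and the tool only reports the file's size so the value never reaches stdout.

```yaml
# Added example: a CommandLineTool that marks one input as secret.
# Run with extensions enabled, e.g.:  cwltool --enable-ext tool.cwl job.yml
cwlVersion: v1.0
class: CommandLineTool

$namespaces:
  cwltool: "http://commonwl.org/cwltool#"

hints:
  # Tell the runner that this input is sensitive, so its value gets
  # special treatment such as being hidden from logging.
  "cwltool:Secrets":
    secrets: [api_key]
  DockerRequirement:
    dockerPull: debian:stable-slim   # assumed image, any image with `wc` works

requirements:
  # Stage the secret into a file inside the working directory instead of
  # passing it as a command-line argument.
  InitialWorkDirRequirement:
    listing:
      - entryname: creds.conf        # hypothetical file name
        entry: |
          api_key: $(inputs.api_key)

inputs:
  api_key: string                    # hypothetical secret input

# Stand-in for the real tool: reads the staged file without echoing its contents.
arguments: [wc, -c, creds.conf]

stdout: size.txt
outputs:
  size:
    type: stdout
```

The job file still carries the secret as a plain string, so it needs the same file permissions and handling as any other credential file.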

Thank you @tetron.

For future reference, this example helped me out as I wasn’t able to find any examples or documentation of this feature in the beautifully written CWL user guide:
